Analysis
max time kernel: 18s
max time network: 124s
platform: windows10_x64
resource: win10v20210410
submitted: 11-06-2021 03:22
Static task: static1
General
Target: 0fea2fa264e0e861daef324f43e81b76c06fa9b0d7de2e4eccf75bae1999568c.dll
Size: 170KB
MD5: db92e7a0555c45e53014560908462542
SHA1: c1114f6bd3b0687dd63766657e17d13e4f18c054
SHA256: 0fea2fa264e0e861daef324f43e81b76c06fa9b0d7de2e4eccf75bae1999568c
SHA512: a4238e8cd1c4281fc52bf4953ce9ec476bf9a8800a8da8b744ed7a1693ca7055584f7a52b73486f26bd842224828dd72a6bb2aeff327293f9b63703c68693736
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  210.65.244.187:443
  162.241.41.92:2303
  46.231.204.10:8172
  185.183.159.100:4125
rc4.plain
rc4.plain
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description               pid   process       target process
  PID 2276 created 3900     2276  WerFault.exe  rundll32.exe

(signature name not captured in extraction)
Processes:
  resource                                                                          yara_rule
  behavioral1/memory/3900-115-0x0000000073A10000-0x0000000073A3F000-memory.dmp      dridex_ldr

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2276  3900        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid   process
  2276  WerFault.exe   (same entry repeated 14 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               pid   process
  Token: SeRestorePrivilege 2276  WerFault.exe
  Token: SeBackupPrivilege  2276  WerFault.exe
  Token: SeDebugPrivilege   2276  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                          pid   process       target process
  PID 3892 wrote to memory of 3900     3892  rundll32.exe  rundll32.exe
  PID 3892 wrote to memory of 3900     3892  rundll32.exe  rundll32.exe
  PID 3892 wrote to memory of 3900     3892  rundll32.exe  rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fea2fa264e0e861daef324f43e81b76c06fa9b0d7de2e4eccf75bae1999568c.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fea2fa264e0e861daef324f43e81b76c06fa9b0d7de2e4eccf75bae1999568c.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 648
         - Suspicious use of NtCreateProcessExOtherParentProcess
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken